Apple and Facebook helped bust the world's biggest torrent site

When you're the owner of the world's biggest torrent-sharing site, the last thing you'd expect to land you in trouble would be a totally legitimate (and legal) purchase via iTunes. But that's what happened to 30-year-old Ukrainian Artem Vaulin a.k.a "tirm," owner and operator of KickassTorrents (KAT), who was yesterday arrested and charged in Poland for criminal copyright infringement and money laundering. He's been accused of illegally reproducing and distributing hundreds of millions of copies of movies, video games, TV shows and music albums totalling more than $1 billion. The US is now waiting to extradite him.

Founded in 2008, the site has slowly grown to become the biggest torrent-sharing website in the world. It finally took the mantle in 2015 after The Pirate Bay experienced multiple raids, battled lengthy spells of downtime and its three founders were arrested. KAT counts more than 50 million unique monthly visitors and is estimated to be the 68th most frequently visited website on the internet -- according to Alexa.

In a 48-page criminal complaint (PDF) filed with the U.S. District Court in Chicago, the U.S. Attorney's Office reveals how it was able to track Vaulin. Jared Der-Yeghiayan, a special agent with the US Department of Homeland Security, was tasked with tracking the man behind KAT and it's his report that attempts to prove beyond any reasonable doubt that Vaulin should be brought to justice. This is how it played out.

The fake ad

From November 2015, an undercover IRS Special Agent spoke with a KAT representative about hosting an advertisement that would direct visitors to an undercover site. An agreement was made and the ad, which purportedly advertised a program to study in the United States, would be placed on individual torrent listings for $300 per day. When it finally went live on March 14th 2016, a link appeared underneath the torrent download buttons for five days. It was a short campaign, but it was enough to link KAT to a Latvian bank account, one that received €28 million ($31 million) in deposits -- mainly from advertising payments -- between August 2015 and March 2016.

This back-and-forth also enabled investigators to identify an important point of contact: the email address pr@kat.cr. Not only was it linked to website enquiries, it was the email associated with KAT's social media presences such as Facebook. Agents were able to obtain records from Facebook that showed the "official.KAT.fanclub." page was almost certainly associated with KAT.

Apple's involvement

Using basic website-tracking services, Der-Yeghiayan was able to uncover (via a reverse DNS search) the hosts of seven apparent KAT website domains: kickasstorrents.com, kat.cr, kickass.to, kat.ph, kastatic.com, thekat.tv and kickass.cr. This dug up two Chicago IP addresses, which were used as KAT name servers for more than four years. Agents were then able to legally gain a copy of the server's access logs (explaining why it was federal authorities in Chicago that eventually charged Vaulin with his alleged crimes).

Using similar tools, Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site. A WHOIS search can provide the name, address, email and phone number of a website registrant. In the case of kickasstorrents.biz, that was Artem Vaulin from Kharkiv, Ukraine.

Der-Yeghiayan was able to link the email address found in the WHOIS lookup to an Apple email address that Vaulin purportedly used to operate KAT. It's this Apple account that appears to tie all of pieces of Vaulin's alleged involvement together.

On July 31st 2015, records provided by Apple show that the me.com account was used to purchase something on iTunes. The logs show that the same IP address was used on the same day to access the KAT Facebook page. After KAT began accepting Bitcoin donations in 2012, $72,767 was moved into a Coinbase account in Vaulin's name. That Bitcoin wallet was registered with the same me.com email address.

What happens now?

Homeland Security has already asked that the seven KAT domains named in the complaint are forfeited for their role in facilitating piracy. Verisign is expected to seize the .com and .tv domains, while Mutual Legal Assistance Treaty (MLAT) requests will be sent to registrars in Costa Rica, Tonga and the Philippines. Homeland Security then expects those sites to be redirected to a server of its choosing.

Right now, KickassTorrents appears to still be up, at least via the numerous proxy services that support it. However, it's probably only a matter of time until it becomes a lot harder to find. While investigators already had a lot of evidence before they added the iTunes transaction to the mix, the idea that a legal media purchase could be the undoing of a piracy king kinda breaks the irony meter.